/security

Boring, on purpose.

You're about to upload your entire customer book into a new system. The least we owe you is a clear account of how it's kept — who can see what, where it lives, and how fast we can answer a regulator. No theatre, no badges we haven't earned.

/tenant isolation

Multi-tenant by design

Your data is isolated at the platform level, not left to a filter someone might forget. Cross-tenant access is structurally prevented, and the test suite asserts isolation holds.

/data residency

Region-pinned or self-hosted

Choose a region for hosted deployments, or run the same build in your own cloud for strict residency regimes. Per-tenant encryption contexts keep sensitive fields sealed.

/audit trail

Versioned on every model

Every record is change-logged into an account-scoped history, so a KVKK / GDPR access or rectification request is answered in minutes, not weeks.

/access control

Granular RBAC + field masking

Owner / admin / manager / staff plus custom roles, scoped to companies and branches. Field-level masking hides PII and money from roles that shouldn't see them — in the UI and in exports.

/ai governance

You decide what AI may touch

Disable AI per account or per feature, pin a residency, and set a lawful basis per customer. PII is tokenised before it leaves for a provider; every call is logged with its basis snapshotted.

/abuse detection

Quiet, boring guardrails

Sanctions-country blocks, per-account IP allowlists, and rate limiting on sensitive actions. Security that doesn't get in the operator's way.

/compliance

Regulatory posture

KVKK: Turkey
GDPR: EU + UK
CCPA: California

Jurisdiction-specific DPAs are published at /legal/dpa; the live sub-processor list is at /legal/subprocessors. Data export and account-level erasure are self-service — no support ticket, no hostage-taking.

Due-diligence questions?

Security reviews and DPAs — reach the compliance desk directly at compliance@lydira.com.

Talk to us → Start free